JavaScript hijacking is a technique that an attacker can use to masquerade as a valid user and read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML). Nearly all major Ajax applications have been found vulnerable.

JavaScript hijacking allows a hacker to gain access to data through a loophole in which an interactive Web site on a given domain can run JavaScript hosted on a different domain. For example, in a Web-based e-mail application that uses Ajax, an attacker can log in as the legitimate user. All of the contents of the e-mail inbox and address book then become available to the hacker. In addition, the hacker may send bogus e-mail messages in the name of the victim.